THE STATE’S FINANCIAL
REPORTING  SYSTEM 


AUDITOR  GENERAL’S 
MESSAGE 

In 2011, my Office completed a
comprehensive audit of the State's
financial reporting system. Many of
you reading this Advisory provided
information to my auditors during the
conduct of this audit.

The audit's major conclusions, which
are  highlighted  in  this  Audit 
Advisory,  were  that  many  of  the 
systems  used  by  State  agencies  are 
archaic,  are  costly  to  operate,  and 
are  not  interrelated  to  each  other.  It 
is  my  hope  that  this  audit  will  serve 
as  a starting  point  for  systemic 
improvements  in  the  State’s  financial 
reporting  system. 

The  Advisory  examines  the  need 
for  agencies  to  conduct  a risk 
assessment  of  their  controls  over 
confidential information, such as
social security numbers and protected
health information. Also, the
Advisory discusses the need for
agencies to rigorously carry out the
annual  statutorily  required  FCIAA 
reviews,  which  would  lead  to  more 
timely  identification  of  control 
deficiencies  and  reduce  future 
audit  findings. 


WILLIAM  G.  HOLLAND 
September 2011


The  State’s  financial  reporting  “system” 
is  comprised  of  over  260  individual 
financial  systems,  many  of  which  are  not 
interrelated,  are  antiquated,  and  are  costly 
to  operate.  This  was  the  conclusion 
reached  in  the  Auditor  General’s 
management  audit  of  the  State’s  Financial 
Reporting  System,  released  in  February 
2011. 

The  report  also  concluded  that  the  lack  of 
a centralized  financial  reporting  system 
has  considerable  negative  consequences, 
including  untimely  financial  reporting  of 
the  true  financial  position  of  the  State. 

The  lack  of  timely  financial  reporting 
limits  effective  oversight  of  State 
finances,  adversely  affects  the  State’s 
bond  rating,  and  jeopardizes  federal 
funding.  See  inset  for  more  detailed 
findings  on  the  financial  systems. 

In  addition  to  the  lack  of  a centralized 
GAAP  compliant  financial  reporting 
system, the report concluded that other
factors have an adverse impact on the
timeliness  and  accuracy  of  financial 
reporting: 

• The  Comptroller’s  Office  is  responsible 
for  financial  reporting  but  does  not 
have  authority  over  the  agencies  from 
which  it  collects  information. 
Furthermore,  there  is  no  penalty  if  the 
agencies  do  not  cooperate  with  the 
Comptroller.  The  Comptroller’s  Office 
and  the  Governor’s  Office  should  work 
together  to  establish  financial  reporting 
target  completion  dates  and  ensure  that 
such  dates  are  met. 

• The  State  of  Illinois  has  a complex  fund 
structure  that  utilized  an  estimated  900 
funds  in  fiscal  year  2009.  A complex 
fund  structure  increases  the  level  of 
effort  necessary  to  account  for  and 
report  transactions  and  increases  the 
risk  of  errors  and  omissions. 




Specific  Management  Audit  Findings  on  the 
State’s  Financial  Reporting  System 

• Agencies  reported  using  263  different  financial  reporting  systems. 

• Agencies  reported  that  only  16  percent  of  the  systems  are  compliant  with 
Generally  Accepted  Accounting  Principles  (GAAP). 

• Half  of  the  financial  reporting  systems  in  use  at  State  agencies  are  more  than 
10  years  old. 

• Fifty-three  percent  of  the  financial  reporting  systems  are  not  interrelated,  which 
consequently  requires  manual  intervention  to  convert  data  from  one  system  so  it 
can  be  used  in  another. 

• The  total  estimated  cost  of  maintaining  the  systems  in  fiscal  year  2010  was  not 
determinable. Agencies provided cost estimates totaling $24 million, which
covered  only  56  percent  of  the  systems. 
• Many State agencies have a lack of
competent trained staff in the area of
financial reporting and reported that
the personnel system impedes their
ability to hire qualified staff. (See
inset on the right for financial reporting
resources that may be helpful to
financial reporting staff in carrying out
their responsibilities.)

The audit report can be found on the
Auditor General’s web-site at:
www.auditor.illinois.gov.


PROTECTING 

PERSONAL 

INFORMATION 

Requirements to protect personal
information are outlined in laws such as
the Personal Information Protection Act
(815 ILCS 530), Identity Protection Act
(5 ILCS 179), and the federal Health
Insurance Portability and Accountability
Act (HIPAA). The Auditor General’s
audits have consistently identified
weaknesses in the implementation of controls
to protect confidential information at State
agencies. Examples of poor practices
include:

• Sending unencrypted confidential
information, such as Social Security
Numbers or Protected Health
Information (PHI), over the Internet.

• Transporting confidential information
on laptops or storage devices without
utilizing encryption.

• Improper storage or disposal of
documents containing confidential
information.

The Auditor General’s Office has been
recommending that agencies perform a
comprehensive risk assessment to identify
all forms of confidential or personal
information and ensure adequate security
controls, including adequate physical and
logical access restrictions, have been
established to safeguard data and
resources.


HELPFUL FINANCIAL REPORTING
- RESOURCES -

Below are links to some resources that contain useful information regarding
technical financial reporting issues, as well as general financial reporting
information. Some non-government sources may charge a fee for certain items.

Governmental Accounting Standards Board (www.gasb.org). Contains
information that specifically impacts governmental accounting, including:

• GASB pronouncements,

• Implementation guides: provide guidance on how to implement various
GASB pronouncements,

• Exposure drafts, and

• Research and other documents.

American Institute of CPAs (www.aicpa.org). Contains extensive guidance and
information on accounting and financial reporting topics. Examples of materials
on the AICPA web-site are:

• Audit and accounting guides,

• Audit risk alerts,

• Checklists and illustrative financial statements,

• Financial reporting alerts, and

• Practice aids.

Government Accountability Office (www.gao.gov). Contains documents
such as:

• Government auditing standards (Yellow Book),

• Professional standards updates, and

• Internal control management and evaluation tool.

Office of the Comptroller (www.ioc.state.il.us). Contains documents such as:

• SAMS manual,

• Supplement to SAMS Manual Procedure 2, Internal Control Review
Checklist,

• SAMS bulletins,

• Accounting bulletins, and

• Payroll bulletins.

Office of the Auditor General (www.auditor.illinois.gov). Contains documents
such as:

• All audit reports, and

• Quarterly summary of emergency purchases.


The first step in protecting confidential
information is to identify where it
currently exists, and then to review
existing control procedures. In response
to a recent finding regarding the
protection of confidential information, a State
agency outlined the results of a risk
assessment. The agency embarked
on a risk assessment of computers with
the intent of reducing the likelihood of
sensitive data leakage by eliminating or
protecting sensitive data. The assessment
discovered and eliminated over 4.1
million social security numbers and over
63,000 credit card numbers from agency
computers.

As outlined above, the results of the risk
assessment clearly demonstrate the value
of performing the exercise. We will
continue to recommend that all State agencies
perform their own risk assessments.
HIGH RISK AREAS


Our compliance examinations identify
certain aspects of State government that
expose the State to an unacceptable level
of risk. Since 2007, we have been
highlighting these high risk areas in the Audit
Advisory. The four high risk areas
highlighted in this issue of the Audit Advisory
include the following: 1) Contracting
Processes; 2) Subrecipient Monitoring;
3) Untimely Financial Reporting; and
4) Fraud and Abuse.

1.  CONTRACTING  PROCESSES 

The  contracting  process  poses  significant 
risks  for  State  agencies  and  is  susceptible 
to  fraud  and  abuse.  There  are  a myriad  of 
ways  the  contracting  process  can  be 
manipulated  or  abused.  Consequently,  an 
agency’s  system  of  internal  controls 
related  to  contracting  needs  to  be  strong, 
monitored,  and  enforced. 

Contracting  deficiencies  have  been 
routine  findings  in  OAG  audits. 

Examples  of  contracting  deficiencies 
included:  lack  of  documentation  in  the 
procurement  file;  allowing  vendors  to 
begin  work  without  a formal  written 
agreement  in  place;  errors  in  scoring 
proposals;  and  contracts  lacking  all 
required  certifications. 

New  laws  effective  July  1,  2010, 
significantly  impacted  the  procurement 
organization,  purchasing  process  and 
vendor  requirements.  Our  examinations 
for  the  period  ended  June  30,  2011,  will 
include  reviews  of  procurements 
made  under  the  new  requirements. 

2.  SUBRECIPIENT 
MONITORING 

State agencies’ failure to
adequately monitor
subrecipients has been a central
finding in the State’s Single
Audit for years. The FY
2009 Single Audit included 25
findings and the FY 2010 Single
Audit had 19 findings related to
agencies’ deficiencies in monitoring
subrecipients. Agencies covered by the
Statewide Single Audit expended $29.3
billion in federal funding in FY 2010, of
which $5.6 billion was passed through to
subrecipients.

It  is  not  sufficient  for  agencies  to  simply 
pass  funding  on  to  third  parties.  Rather,  a 
system  must  be  established  to  monitor 
how  those  funds  are  being  spent  and 
ensure  these  monies  are  being  spent  for 
the  specified  purpose.  Subrecipient 
monitoring  includes  many  aspects,  such 
as  reviewing  and  receiving  grant  or  audit 
reports,  as  well  as  some  level  of  on-site 
reviews  or  inspections. 

3.  UNTIMELY  FINANCIAL 
REPORTING 

As reported in our February 2011
management audit of the State’s Financial
Reporting System discussed on page 1,
untimely financial reporting poses significant
risks to the State of Illinois. These
risks occur in several critical key areas.

First, if reporting on the State’s financial
position is delayed, State decision-makers
lack critical information necessary to
manage the operations of the State. In
times of funding shortfalls as currently
being experienced by the State, the need
for timely and accurate financial
information is even more important.


Second,  the  federal  government  is  in  the 
process  of  imposing  new,  more  restrictive 
time  requirements  on  states’  financial 
reporting  and  auditing.  If  the  State’s 
financial  reporting  continues  to  be 
delayed,  the  risk  increases  that  federal 
funding  to  the  State  may  be  delayed  or 
withheld. 

Finally,  untimely  financial  information 
may  have  an  adverse  impact  if  public 
users  are  not  getting  needed  information. 
For  example,  bond  rating  agencies  use 
information  in  the  State’s  financial  reports 
as  part  of  their  assessment  of  the  overall 
risk  and  bond  rating  for  the  State.  If 
needed financial information is unavailable,
it may have an adverse, and costly,
impact  on  the  State’s  bond  rating  and 
related  borrowing  costs. 

Financial  reporting  delays  and  errors 
result  in  several  significant  effects, 
including  increased  audit  testing,  delays 
in  the  completion  of  audits,  and  delays  in 
the  preparation  of  the  Comptroller’s 
Comprehensive  Annual  Financial  Report 
(CAFR),  as  well  as  the  Statewide  Single 
Audit. 

4.  FRAUD  AND  ABUSE 

Each  State  agency  needs  to  have  a fraud 
detection  program.  Recent  audits  have 
identified  several  instances  where,  due  to 
a lack  of  adequate  internal  controls  and 
oversight,  public  funds  have  been  used  for 
undocumented  or  improper  purposes. 

Agency managers have the
responsibility to conduct internal
vulnerability assessments of their
operations to identify areas
where misappropriation of
State assets could occur.

Once those areas are

they are properly designed
and working.

The Fiscal Control and Internal Auditing Act (FCIAA),
enacted in 1989, requires State agencies to establish, maintain,
and annually evaluate their internal control systems. Agency
internal control systems must reasonably assure compliance
with applicable law and effective agency management. By
May 1 of each year, each agency is required to certify to
the Auditor General on its system of internal fiscal and
administrative controls and its compliance with the
FCIAA guidelines.

While the annual assessment should be an important tool for
management to identify internal control weaknesses and take
immediate corrective action, many agencies do not appear to be
effectively completing the FCIAA process. There are instances
where the FCIAA certifications agencies filed with the Auditor
General’s Office show few, if any, weaknesses. Yet, when the
OAG audits the agency, weaknesses in internal controls are
identified and agency management agrees with the auditors that
such deficiencies exist. If agency management would more
rigorously conduct their annual FCIAA review, not only
would weak agency controls be strengthened in a timely
fashion, the number of OAG audit findings may be reduced.

The  Comptroller’s  SAMS  Manual  (Procedure  02)  contains 
guidance  on  the  FCIAA  process,  as  well  as  the  Supplement  to 
SAMS  Manual  Procedure  2,  Internal  Control  Review  Checklist 
(see box below).


COMPTROLLER’S  SUGGESTED 
INTERNAL  CONTROL  REVIEW  CHECKLIST 


An internal control review checklist has been prepared to aid Illinois State agencies in conducting reviews of their systems of
internal  fiscal  and  administrative  controls.  The  checklist  is  based,  in  part,  on  the  “Internal  Control  Criteria  Checklist”,  “Audit 
Planning  Checklist”  and  “Checklists  for  Observation  of  Auditee’s  Management  Practices”  contained  in  the  State  of  Illinois 
Auditor  General  Audit  Guide  For  Performing  Compliance  Audits  of  Illinois  State  Agencies.  Ideas  have  been  drawn  from  this 
and  other  sources,  and  modified  to  fit  the  needs  of  the  Fiscal  Control  and  Internal  Auditing  Act  (FCIAA)  internal  control  review 
program.  The  checklist  is  organized  into  the  following  eleven  major  internal  control  review  categories: 


1.  Agency  Organization  and  Management 

2.  Administrative  Support  Services 

3.  Budgeting,  Accounting  and  Reporting 

4.  Purchasing,  Contracting  and  Leasing 

5.  Expenditure  Control 

6.  Personnel  and  Payroll 


7.  Property,  Equipment,  and  Inventories 

8.  Revenues  and  Receivables 

9.  Petty  Cash  and  Local  Funds 

10.  Grant  Administration 

11.  Electronic  Data  Processing 


This SAMS Supplement notes that Illinois State agencies are encouraged to use this checklist as a guide in determining the
nature and scope of internal control review work that must be performed to enable the agency Chief Executive Officer to certify
to the adequacy of his/her agency’s systems of internal fiscal and administrative control, as required by FCIAA-Section 3003.

Source: Comptroller's Supplement to SAMS Manual Procedure 2, Internal Control Review Checklist


Office  of  the  Auditor  General 

• Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154

• Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109

Phone: 217-782-6046

Fax: 217-785-8222

TTY: 1-888-261-2887

E-mail: auditor@mail.state.il.us

Website:  www.auditor.illinois.gov 